Methods and apparatus for secure connectionless uplink small data transmission

ABSTRACT

Certain aspects of the present disclosure generally relate to techniques for secure connectionless uplink transmissions by a wireless device. Such techniques may provide for negotiation of an encryption mechanism as part of the setup for connectionless transmissions and subsequent secure connectionless uplink transmissions.

CROSS-REFERENCE TO RELATED APPLICATION(S)

This application claims the benefit of U.S. Provisional Application Ser.No. 62/054,271, entitled METHODS AND APPARATUS FOR SECURE CONNECTIONLESSUPLINK SMALL DATA TRANSMISSION, filed Sep. 23, 2014, assigned to theassignee hereof and hereby expressly incorporated by reference herein.

BACKGROUND

I. Field

Certain aspects of the present disclosure generally relate to methodsand apparatus for performing secure uplink data transmissions from auser equipment (UE) with reduced signaling overhead.

II. Background

Wireless communication systems are widely deployed to provide varioustypes of communication content such as voice, data, and so on. Thesesystems may be multiple-access systems capable of supportingcommunication with multiple users by sharing the available systemresources (e.g., bandwidth and transmit power). Examples of suchmultiple-access systems include Code Division Multiple Access (CDMA)systems, Time Division Multiple Access (TDMA) systems, FrequencyDivision Multiple Access (FDMA) systems, 3^(rd) Generation PartnershipProject (3GPP) Long Term Evolution (LTE) systems, Long Term EvolutionAdvanced (LTE-A) systems, and Orthogonal Frequency Division MultipleAccess (OFDMA) systems.

Generally, a wireless multiple-access communication system cansimultaneously support communication for multiple wireless terminals.Each terminal communicates with one or more base stations viatransmissions on the forward and reverse links. The forward link (ordownlink) refers to the communication link from the base stations to theterminals, and the reverse link (or uplink) refers to the communicationlink from the terminals to the base stations. This communication linkmay be established via a single-input single-output, multiple-inputsingle-output or a multiple-input multiple-output (MIMO) system.

Certain types of devices, such as machine-type communications (MTC)devices may have only a small amount of data to send and may send thatdata relatively infrequently. In such cases, the amount of overheadnecessary to establish a network connection may by very high relative tothe actual data sent during the connection.

SUMMARY

Certain aspects of the present disclosure provide a method for wirelesscommunications by a user equipment (UE). The method generally includesestablishing, via a base station (BS), a secure connection with anetwork, negotiating, via the secure connection, an encryption mechanismfor the UE to use to transmit data without establishing a full radioresource control (RRC) connection, entering an idle mode afternegotiating the encryption mechanism, using the negotiated encryptionmechanism to encrypt data to be forwarded to the network, andtransmitting a packet containing the encrypted data to the BS withoutestablishing the full RRC connection.

Certain aspects of the present disclosure provide an apparatus forwireless communications by a user equipment (UE). The apparatusgenerally includes at least one processor configured to: establish, viaa base station (BS), a secure connection with a network, negotiate, viathe secure connection, an encryption mechanism for the UE to use totransmit data without establishing a full radio resource control (RRC)connection, enter an idle mode after negotiating the encryptionmechanism, use the negotiated encryption mechanism to encrypt data to betransmitted to the network, and transmit a packet containing theencrypted data to the BS without establishing the full RRC connection,and a memory coupled to the at least one processor.

Certain aspects of the present disclosure provide an apparatus forwireless communications by a user equipment (UE). The apparatusgenerally includes means for establishing, via a base station (BS), asecure connection with a network, means for negotiating, via the secureconnection, an encryption mechanism for the UE to use to transmit datawithout establishing a full radio resource control (RRC) connection,means for entering an idle mode after negotiating the encryptionmechanism, means for using the negotiated encryption mechanism toencrypt data to be forwarded to the network, and means for transmittinga packet containing the encrypted data to the BS without establishingthe full RRC connection.

Certain aspects of the present disclosure provide a computer-readablemedium for wireless communications by a user equipment (UE). Thecomputer-readable medium generally includes code which when executed byat least one processor, causes the UE to: establish, via a base station(BS), a secure connection with a network, negotiate, via the secureconnection, an encryption mechanism for the UE to use to transmit datawithout establishing a full radio resource control (RRC) connection,enter an idle mode after negotiating the encryption mechanism, use thenegotiated encryption mechanism to encrypt data to be transmitted to thenetwork, and transmit a packet containing the encrypted data to the BSwithout establishing the full RRC connection.

Certain aspects of the present disclosure provide a method for wirelesscommunications by a base station (BS). The method generally includesreceiving a packet comprising encrypted data from a user equipment (UE)that has not established a full radio resource control (RRC) connection,communicating with a network entity to perform authentication of the UE,receiving, from the network entity, decryption information fordecrypting the encrypted data after the network entity authenticates theUE, and using the decryption information to decrypt the encrypted data.

Certain aspects of the present disclosure provide an apparatus forwireless communications by a base station (BS). The apparatus generallyincludes at least one processor configured to: receive a packetcomprising encrypted data from a user equipment (UE) that has notestablished a full radio resource control (RRC) connection, communicatewith a network entity to perform authentication of the UE, receive, fromthe network entity, decryption information for decrypting the encrypteddata after the network entity authenticates the UE, and use thedecryption information to decrypt the encrypted data, and a memorycoupled to the at least one processor.

Certain aspects of the present disclosure provide an apparatus forwireless communications by a base station (BS). The apparatus generallyincludes means for receiving a packet comprising encrypted data from auser equipment (UE) that has not established a full radio resourcecontrol (RRC) connection, means for communicating with a network entityto perform authentication of the UE, means for receiving, from thenetwork entity, decryption information for decrypting the encrypted dataafter the network entity authenticates the UE, and means for using thedecryption information to decrypt the encrypted data.

Certain aspects of the present disclosure provide a computer-readablemedium for wireless communications by a base station (BS). Thecomputer-readable medium generally includes code which when executed byat least one processor, causes the BS to: receive a packet comprisingencrypted data from a user equipment (UE) that has not established afull radio resource control (RRC) connection, communicate with a networkentity to perform authentication of the UE, receive, from the networkentity, decryption information for decrypting the encrypted data afterthe network entity authenticates the UE, and use the decryptioninformation to decrypt the encrypted data.

Certain aspects of the present disclosure provide a method for wirelesscommunications by a network entity. The method generally includesestablishing, via a base station (BS), a secure connection with a userequipment (UE), negotiating, via the secure connection, an encryptionmechanism for the UE to use to transmit data without establishing a fullradio resource control (RRC) connection, communicating with the BS toperform authentication of the UE, wherein encrypted data is received ina packet by the BS from the UE, receiving the encrypted data from theBS, and using decryption information to decrypt the encrypted data.

Certain aspects of the present disclosure provide an apparatus forwireless communications by a network entity. The apparatus generallyincludes at least one processor configured to: establish, via a basestation (BS), a secure connection with a user equipment (UE), negotiate,via the secure connection, an encryption mechanism for the UE to use totransmit data without establishing a full radio resource control (RRC)connection, communicate with the BS to perform authentication of the UE,wherein encrypted data is received in a packet by the BS from the UE,receive the encrypted data from the BS, and use decryption informationto decrypt the encrypted data, and a memory coupled to the at least oneprocessor.

Certain aspects of the present disclosure provide an apparatus forwireless communications by a network entity. The apparatus generallyincludes means for establishing, via a base station (BS), a secureconnection with a user equipment (UE), means for negotiating, via thesecure connection, an encryption mechanism for the UE to use to transmitdata without establishing a full radio resource control (RRC)connection, means for communicating with the BS to performauthentication of the UE, wherein encrypted data is received in a packetby the BS from the UE, means for receiving the encrypted data from theBS, and means for using decryption information to decrypt the encrypteddata.

Certain aspects of the present disclosure provide a computer-readablemedium for wireless communications by a network entity. Thecomputer-readable medium generally includes code which when executed byat least one processor, causes the network entity to: establish, via abase station (BS), a secure connection with a user equipment (UE),negotiate, via the secure connection, an encryption mechanism for the UEto use to transmit data without establishing a full radio resourcecontrol (RRC) connection, communicate with the BS to performauthentication of the UE, wherein encrypted data is received in a packetby the BS from the UE, receive the encrypted data from the BS, and usedecryption information to decrypt the encrypted data.

Certain aspects of the present disclosure provide a method for wirelesscommunications by a network entity. The method generally includesestablishing, via a base station (BS), a secure connection with a userequipment (UE), negotiating, via the secure connection, an encryptionmechanism for the UE to use to transmit data without establishing a fullradio resource control (RRC) connection, communicating, with the BS thathas received a packet from the UE comprising encrypted data, to performauthentication of the UE, providing the BS decryption information fordecrypting the encrypted data after authenticating the UE, andreceiving, from the BS, data decrypted using the decryption information.

Certain aspects of the present disclosure provide an apparatus forwireless communications by a network entity. The apparatus generallyincludes at least one processor configured to: establish, via a basestation (BS), a secure connection with a user equipment (UE), negotiate,via the secure connection, an encryption mechanism for the UE to use totransmit data without establishing a full radio resource control (RRC)connection, communicate with the BS to perform authentication of the UE,wherein encrypted data is received in a packet by the BS from the UE,provide the BS decryption information for decrypting the encrypted dataafter authenticating the UE, and receive, from the BS, data decryptedusing the decryption information, and a memory coupled to the at leastone processor.

Certain aspects of the present disclosure provide an apparatus forwireless communications by a network entity. The apparatus generallyincludes means for establishing, via a base station (BS), a secureconnection with a user equipment (UE), means for negotiating, via thesecure connection, an encryption mechanism for the UE to use to transmitdata without establishing a full radio resource control (RRC)connection, means for communicating with the BS to performauthentication of the UE, wherein encrypted data is received in a packetby the BS from the UE, means for providing the BS decryption informationfor decrypting the encrypted data after authenticating the UE, and meansfor receiving, from the BS, data decrypted using the decryptioninformation.

Certain aspects of the present disclosure provide a computer-readablemedium for wireless communications by a network entity. Thecomputer-readable medium generally includes code which when executed byat least one processor, causes the network entity to: establish, via abase station (BS), a secure connection with a user equipment (UE),negotiate, via the secure connection, an encryption mechanism for the UEto use to transmit data without establishing a full radio resourcecontrol (RRC) connection, communicate with the BS to performauthentication of the UE, wherein encrypted data is received in a packetby the BS from the UE, provide the BS decryption information fordecrypting the encrypted data after authenticating the UE, and receive,from the BS, data decrypted using the decryption information.

Other embodiments include, without limitation, a computer-readablemedium comprising code, which when executed by at least one processor,performs one or more aspects of disclosed herein, as well as anapparatus having a processor and memory configured to implement one ormore of the aspects disclosed herein.

BRIEF DESCRIPTION OF THE DRAWINGS

Aspects and embodiments of the disclosure will become more apparent fromthe detailed description set forth below when taken in conjunction withthe drawings in which like reference characters identify correspondinglythroughout.

FIG. 1 illustrates an example multiple access wireless communicationsystem in accordance with certain aspects of the present disclosure.

FIG. 2 illustrates a block diagram of an access point and a userterminal in accordance with certain aspects of the present disclosure.

FIG. 3 illustrates various components that may be utilized in a wirelessdevice in accordance with certain aspects of the present disclosure.

FIG. 4 illustrates a message flow for an LTE RACH contention-basedprocedure, in accordance with certain aspects of the present disclosure.

FIG. 5 illustrates example operations that may be performed by a UE, inaccordance with certain aspects of the present disclosure.

FIG. 6 illustrates example operations that may be performed by a basestation (BS), in accordance with certain aspects of the presentdisclosure.

FIG. 7 illustrates example operations that may be performed by a networkentity, in accordance with certain aspects of the present disclosure.

FIG. 8 illustrates an example call flow for the negotiation of anencryption mechanism and setup of a connectionless transmission, inaccordance with certain aspects of the present disclosure.

FIG. 9 illustrates an example call flow for a secure connectionlessuplink data transmission(s), in accordance with certain aspects of thepresent disclosure.

FIG. 10 illustrates example operations that may be performed by anetwork entity, in accordance with certain aspects of the presentdisclosure.

DETAILED DESCRIPTION

Aspects of the present disclosure provide techniques that may allowcertain devices (e.g., machine-type communications (MTC) devices,enhanced MTC (eMTC) devices, etc.) to transmit data without the need toestablish a secure connection before transmitting the data. As will bedescribed in greater detail below, these techniques may involvenegotiation of an encryption mechanism as part of a setup for aconnectionless transmission and subsequent secure connectionless uplinktransmissions.

Various aspects of the disclosure are described more fully hereinafterwith reference to the accompanying drawings. This disclosure may,however, be embodied in many different forms and should not be construedas limited to any specific structure or function presented throughoutthis disclosure. Rather, these aspects are provided so that thisdisclosure will be thorough and complete, and will fully convey thescope of the disclosure to those skilled in the art. Based on theteachings herein one skilled in the art should appreciate that the scopeof the disclosure is intended to cover any aspect of the disclosuredisclosed herein, whether implemented independently of or combined withany other aspect of the disclosure. For example, an apparatus may beimplemented or a method may be practiced using any number of the aspectsset forth herein. In addition, the scope of the disclosure is intendedto cover such an apparatus or method which is practiced using otherstructure, functionality, or structure and functionality in addition toor other than the various aspects of the disclosure set forth herein. Itshould be understood that any aspect of the disclosure disclosed hereinmay be embodied by one or more elements of a claim.

The word “exemplary” is used herein to mean “serving as an example,instance, or illustration.” Any aspect described herein as “exemplary”is not necessarily to be construed as preferred or advantageous overother aspects.

Although particular aspects are described herein, many variations andpermutations of these aspects fall within the scope of the disclosure.Although some benefits and advantages of the preferred aspects arementioned, the scope of the disclosure is not intended to be limited toparticular benefits, uses, or objectives. Rather, aspects of thedisclosure are intended to be broadly applicable to different wirelesstechnologies, system configurations, networks, and transmissionprotocols, some of which are illustrated by way of example in thefigures and in the following description of the preferred aspects. Thedetailed description and drawings are merely illustrative of thedisclosure rather than limiting, the scope of the disclosure beingdefined by the appended claims and equivalents thereof.

The techniques described herein may be used for various wirelesscommunication networks such as Code Division Multiple Access (CDMA)networks, Time Division Multiple Access (TDMA) networks, FrequencyDivision Multiple Access (FDMA) networks, Orthogonal FDMA (OFDMA)networks, Single-Carrier FDMA (SC-FDMA) networks, etc. The terms“networks” and “systems” are often used interchangeably. A CDMA networkmay implement a radio technology such as Universal Terrestrial RadioAccess (UTRA), CDMA2000, etc. UTRA includes Wideband-CDMA (W-CDMA) andLow Chip Rate (LCR). CDMA2000 covers IS-2000, IS-95, and IS-856standards. A TDMA network may implement a radio technology such asGlobal System for Mobile Communications (GSM). An OFDMA network mayimplement a radio technology such as Evolved UTRA (E-UTRA), IEEE 802.11,IEEE 802.16, IEEE 802.20, Flash-OFDM®, etc. UTRA, E-UTRA, and GSM arepart of Universal Mobile Telecommunication System (UMTS). Long TermEvolution (LTE) and LTE-Advanced (LTE-A) are newer releases of UMTS thatuses E-UTRA. UTRA, E-UTRA, GSM, UMTS, and LTE are described in documentsfrom an organization named “3rd Generation Partnership Project” (3GPP).CDMA2000 is described in documents from an organization named “3rdGeneration Partnership Project 2” (3GPP2). For simplicity, “LTE” refersto LTE and LTE-A.

Single carrier frequency division multiple access (SC-FDMA) is atransmission technique that utilizes single carrier modulation at atransmitter side and frequency domain equalization at a receiver side.SC-FDMA has similar performance and essentially the same overallcomplexity as those of OFDMA system. However, SC-FDMA signal has lowerpeak-to-average power ratio (PAPR) because of its inherent singlecarrier structure. SC-FDMA has drawn great attention, especially in theuplink communications where lower PAPR greatly benefits the mobileterminal in terms of transmit power efficiency. It is currently aworking assumption for uplink multiple access scheme in 3GPP LTE andEvolved UTRA.

An access point (AP) may comprise, be implemented as, or known as NodeB, Radio Network Controller (RNC), eNodeB (eNB), Base Station Controller(BSC), Base Transceiver Station (BTS), Base Station (BS), TransceiverFunction (TF), Radio Router, Radio Transceiver, Basic Service Set (BSS),Extended Service Set (ESS), Radio Base Station (RBS), or some otherterminology.

An access terminal (AT) may comprise, be implemented as, or be known asan access terminal, a subscriber station, a subscriber unit, a mobilestation, a remote station, a remote terminal, a remote device, awireless device, a device, a user terminal, a user agent, a user device,user equipment (UE), a user station, machine-type communications (MTC)device or some other terminology. Examples of MTC devices includerobots, drones, various wireless sensors, monitors, detectors, meters,or other type data monitoring, generating, or relaying devices that maybe expected to operate (possibly unattended) for years on a singlebattery charge.

In some implementations, an access terminal may comprise a cellulartelephone, a smart phone, a cordless telephone, a Session InitiationProtocol (SIP) phone, a wireless local loop (WLL) station, a personaldigital assistant (PDA), a tablet, a netbook, a smartbook, an ultrabook,a handheld device having wireless connection capability, a Station(STA), or some other suitable processing device connected to a wirelessmodem. Accordingly, one or more aspects taught herein may beincorporated into a phone (e.g., a cellular phone, a smart phone), acomputer (e.g., a desktop), a portable communication device, a portablecomputing device (e.g., a laptop, a personal data assistant, a tablet, anetbook, a smartbook, an ultrabook), an entertainment device (e.g., amusic or video device, a gaming device, a satellite radio), apositioning system device (e.g., GPS, Beidou, GLONASS, Galileo), awearable device (e.g., smart watch, smart wristband, smart clothing,smart glasses, smart ring, smart bracelet) or any other suitable devicethat is configured to communicate via a wireless or wired medium. Insome aspects, the node is a wireless node. Such wireless node mayprovide, for example, connectivity for or to a network (e.g., a widearea network (WAN) such as the Internet or a cellular network) via awired or wireless communication link.

FIG. 1 shows a multiple access wireless communication system, which maybe an LTE network, in which aspects of the present disclosure may bepracticed.

As illustrated, an access point (AP) 100 may include multiple antennagroups, one group including antennas 104 and 106, another groupincluding antennas 108 and 110, and an additional group includingantennas 112 and 114. In FIG. 1, only two antennas are shown for eachantenna group, however, more or fewer antennas may be utilized for eachantenna group. Access terminal (AT) 116 may be in communication withantennas 112 and 114, where antennas 112 and 114 transmit information toAT 116 over forward link 120 and receive information from AT 116 overreverse link 118. AT 122 may be in communication with antennas 104 and106, where antennas 104 and 106 transmit information to AT 122 overforward link 126 and receive information from AT 122 over reverse link124. In a FDD (Frequency Division Duplex) system, communication links118, 120, 124, and 126 may use different frequencies for communication.For example, forward link 120 may use a different frequency than thatused by reverse link 118.

Each group of antennas and/or the area in which they are designed tocommunicate is often referred to as a sector of the AP. In one aspect ofthe present disclosure, each antenna group may be designed tocommunicate to ATs in a sector of the areas covered by AP 100.

AT 130 may be in communication with AP 100, where antennas from the AP100 transmit information to AT 130 over forward link 132 and receiveinformation from the AT 130 over reverse link 134. ATs 116, 122, and 130may be MTC devices.

In communication over forward links 120 and 126, the transmittingantennas of AP 100 may utilize beamforming in order to improve thesignal-to-noise ratio of forward links for the different ATs 116 and122. Also, an AP using beamforming to transmit to ATs scattered randomlythrough its coverage causes less interference to ATs in neighboringcells than an AP transmitting through a single antenna to all its ATs.

According to an aspect, one or more ATs 116, 122, 130 and AP(s) 100 maycommunicate with the core network (not shown). The AP 100 may beconnected by an S1 interface to the core network (not shown). The corenetwork may include a Mobility Management Entity (MME) (e.g., asillustrated in FIGS. 8-9), a Home Subscriber Server (HSS) (not shown), aServing Gateway (S-GW) (e.g., as illustrated in FIG. 9) and a PacketData Network (P-GW) Gateway (e.g., as illustrated in FIG. 9). The MME isthe control node that processes the signaling between the AT and thecore network. The MME may also perform various functions such asmobility management, bearer management, distribution of paging messages,security control, authentication, gateway selection, etc. The HSS isconnected to the MME and may perform various functions such asauthentication and authorization of the AT and may provide location andIP information to the MME. The S-GW may transfer user IP packets to theP-GW and may perform various functions such as packet routing andforwarding, mobility anchoring, packet buffering, initiation ofnetwork-triggered services, etc. The P-GW is connected to the Operator'sIP Services (now shown) and may provide UE IP address allocation as wellas other functions. The Operator's IP Services may include the Internet,the Intranet, an IP Multimedia Subsystem (IMS), and a PS StreamingService (PSS).

According to certain aspects presented herein, as will be described infurther detail below, the ATs (e.g., illustrated in FIG. 1) may transmitdata without the need to establish a secure connection via the AP to thenetwork (e.g., the MME, S-GW, P-GW, etc., illustrated in FIGS. 8-9)before transmitting the data.

FIG. 2 illustrates a block diagram of an aspect of a transmitter system210 (e.g., also known as the AP) and a receiver system 250 (e.g., alsoknown as the AT) in a multiple-input multiple-output (MIMO) system 200,according to aspects of the present disclosure. The transmitter system210 may be configured to perform BS-side operations described below withreference to FIG. 6, while receiver system 250 may be configured toperform UE-side operations described below with reference to FIG. 5.

Each of system 210 and system 250 has capabilities to both transmit andreceive. Whether system 210 or system 250 is transmitting, receiving, ortransmitting and receiving simultaneously depends on the application. Atthe transmitter system 210, traffic data for a number of data streams isprovided from a data source 212 to a transmit (TX) data processor 214.

In one aspect of the present disclosure, each data stream may betransmitted over a respective transmit antenna. TX data processor 214formats, codes, and interleaves the traffic data for each data streambased on a particular coding scheme selected for that data stream toprovide coded data.

The coded data for each data stream may be multiplexed with pilot datausing OFDM techniques. The pilot data is typically a known data patternthat is processed in a known manner and may be used at the receiversystem to estimate the channel response. The multiplexed pilot and codeddata for each data stream is then modulated (e.g., symbol mapped) basedon a particular modulation scheme (e.g., BPSK, QPSK, M-PSK, or M-QAM)selected for that data stream to provide modulation symbols. The datarate, coding, and modulation for each data stream may be determined byinstructions performed by controller/processor 230. Memory 232 may storedata and software/firmware for the transmitter system 210.

The modulation symbols for all data streams are then provided to a TXMIMO processor 220, which may further process the modulation symbols(e.g., for OFDM). TX MIMO processor 220 then provides N_(T) modulationsymbol streams to N_(T) transmitters (TMTR) 222 a through 222 t. Incertain aspects of the present disclosure, TX MIMO processor 220 appliesbeamforming weights to the symbols of the data streams and to theantenna from which the symbol is being transmitted.

Each transmitter 222 receives and processes a respective symbol streamto provide one or more analog signals, and further conditions (e.g.,amplifies, filters, and upconverts) the analog signals to provide amodulated signal suitable for transmission over the MIMO channel. N_(T)modulated signals from transmitters 222 a through 222 t are thentransmitted from N_(T) antennas 224 a through 224 t, respectively.

At receiver system 250, the transmitted modulated signals may bereceived by N_(R) antennas 252 a through 252 r and the received signalfrom each antenna 252 may be provided to a respective receiver (RCVR)254 a through 254 r. Each receiver 254 may condition (e.g., filters,amplifies, and downconverts) a respective received signal, digitize theconditioned signal to provide samples, and further process the samplesto provide a corresponding “received” symbol stream.

A receive (RX) data processor 260 then receives and processes the N_(R)received symbol streams from N_(R) receivers 254 based on a particularreceiver processing technique to provide N_(T) “detected” symbolstreams. The RX data processor 260 then demodulates, deinterleaves, anddecodes each detected symbol stream to recover the traffic data for thedata stream. The processing by RX data processor 260 may becomplementary to that performed by TX MIMO processor 220 and TX dataprocessor 214 at transmitter system 210.

A controller/processor 270 periodically determines which pre-codingmatrix to use. Controller/processor 270 formulates a reverse linkmessage comprising a matrix index portion and a rank value portion.Memory 272 may store data and software/firmware for the receiver system250. The reverse link message may comprise various types of informationregarding the communication link and/or the received data stream. Thereverse link message is then processed by a TX data processor 238, whichalso receives traffic data for a number of data streams from a datasource 236, modulated by a modulator 280, conditioned by transmitters254 a through 254 r, and transmitted back to transmitter system 210.

At transmitter system 210, the modulated signals from receiver system250 are received by antennas 224, conditioned by receivers 222,demodulated by a demodulator 240, and processed by a RX data processor242 to extract the reserve link message transmitted by the receiversystem 250. Controller/processor 230 then determines which pre-codingmatrix to use for determining the beamforming weights, and thenprocesses the extracted message.

According to certain aspects, the controllers/processors 230 and 270 maydirect the operation at the transmitter system 210 and the receiversystem 250, respectively. For example, the controller/processor 270, TXdata processor 238, RX data processor 260, and/or other controllers,processors and modules at the receiver system 250 may be configured toperform or direct operations described below with reference to FIG. 5and/or other operations for the techniques described herein. Accordingto another aspect, the controller/processor 230, TX data processor 214,RX data processor 242, and/or other controllers, processors and modulesat the transmitter system 210 may be configured to perform or directoperations described below with reference to FIG. 6 and/or otheroperations for the techniques described herein.

FIG. 3 illustrates various components that may be utilized in a wirelessdevice 302 that may be employed within the wireless communication systemillustrated in FIG. 1. The wireless device 302 is an example of a devicethat may be configured to implement the various methods describedherein. The wireless device 302 may be an access point (e.g., AP 100illustrated in FIG. 1), any of the access terminals (e.g., ATs 116, 122and 130 illustrated in FIG. 1), or a network entity (e.g., MMEillustrated in FIGS. 8-9).

The wireless device 302 may include a controller/processor 304 thatcontrols operation of the wireless device 302. The controller/processor304 may also be referred to as, e.g., a central processing unit (CPU).Memory 306, which may include read-only memory (ROM), random accessmemory (RAM), flash memory, phase change memory (PCM), providesinstructions and data to the controller/processor 304. A portion of thememory 306 may also include non-volatile random access memory (NVRAM).The controller/processor 304 typically performs logical and arithmeticoperations based on program instructions stored within the memory 306.The instructions in the memory 306 may be executable to implement themethods described herein, for example, to allow a UE to securelytransmit data during an uplink connectionless transmission.

The wireless device 302 may also include a housing 308 that may includea transmitter 310 and a receiver 312 to allow transmission and receptionof data between the wireless device 302 and a remote location. Thetransmitter 310 and receiver 312 may be combined into a transceiver 314.A single or a plurality of transmit antennas 316 may be attached to thehousing 308 and electrically coupled to the transceiver 314. Thewireless device 302 may also include (not shown) multiple transmitters,multiple receivers, and multiple transceivers.

The wireless device 302 may also include a signal detector 318 that maybe used in an effort to detect and quantify the level of signalsreceived by the transceiver 314. The signal detector 318 may detect suchsignals as total energy, energy per subcarrier per symbol, powerspectral density and other signals. The wireless device 302 may alsoinclude a digital signal processor (DSP) 320 for use in processingsignals.

The various components of the wireless device 302 may be coupledtogether by a bus system 322, which may include a power bus, a controlsignal bus, and a status signal bus in addition to a data bus. Thecontroller/processor 304 may be configured to access instructions storedin the memory 306 to perform the procedures for secure connectionlessuplink data transmission, in accordance with certain aspects of thepresent disclosure discussed below.

FIG. 4 illustrates a message flow 400 for an example LTE RACHcontention-based procedure, in accordance with certain aspects of thepresent disclosure. At 402, a UE may send a preamble (MSG 1), assumingan initial Timing Advance of zero for FDD. Typically, a preamble israndomly chosen by the UE among a set of preambles allocated on the celland may be linked to a requested size for MSG 3. At 404, an eNB may senda random access response (RAR) or MSG2. MSG 2 may also indicate a grantfor MSG 3. At 406, the UE may send MSG 3 using the grant. At 408, theeNB may decode MSG 3 and either echo back the RRC (Radio ResourceControl) signaling message or send an UL grant (e.g., DCI 0) scrambledwith a cell radio network temporary identifier (C-RNTI).

As noted above, certain types of devices, such as machine-typecommunications (MTC) devices and enhanced MTC (eMTC) devices, etc., maybe expected to be in a low power state (e.g., an idle state) for most ofthe time. However, in general, each time a mobile terminated (MT) ormobile originated (MO) data connection is required, the devicetransitions from the idle state to a connected state.

This transition typically entails several steps: random access andcontention resolution, radio resource control (RRC) connection setup,service request, security activation, data radio bearer (DRB)establishment, and the actual data transmission and reception. Forcertain devices (e.g., MTC devices, etc.), generally the above signalingoverhead is often much larger than the amount of data being exchanged.Moreover, in certain aspects, the device may not transition back to theidle state until data is transmitted and received. For example, incertain situations, the device may have to wait for an acknowledgement(ACK) before transitioning to the idle state, which is not powerefficient.

Accordingly, reducing the signaling overhead when transitioning from anidle mode to transmit and/or receive data may reduce the amount of powerconsumption. According to certain aspects presented herein, a UE (e.g.,a MTC device, AT(s) illustrated in FIG. 1, etc.) may perform aconnectionless access transmission so that the UE may transmit datawithout the overhead associated with entering a RRC connected mode.According to certain aspects, the connectionless access mode may allowfor fast transitions without requiring full RRC connection setup.According to another aspect, the RACH procedure (e.g., illustrated inFIG. 4) may be modified to provide for connectionless access.

As described above, according to certain aspects, in order to reduce theamount of signaling overhead associated with a data transmission, the UEmay transmit data without the overhead of first establishing aconnection (referred to herein as a connectionless access transmission),which may reduce power consumption. In some cases, however,connectionless transmission may not be secure. For example, according tocertain aspects, when the UE transmits a message (e.g., usingconnectionless access transmission), the UE and/or the network may notyet be authenticated.

Aspects of the present disclosure, however, allow a UE to negotiate anencryption mechanism prior to sending a connectionless transmission. Forexample, connectionless transmission is only used after successfulnegotiation. The UE may then use this encryption mechanism to encryptthe data sent in the connectionless transmission. A base station (e.g.,eNB) may then take steps to authenticate the UE with the network (e.g.,mobility management entity (MME)) and receive information (e.g., key,sequence number, etc.) it may then use to decrypt the encrypted data.

Accordingly, aspects of the present disclosure may allow for the securetransmission of data without the need to establish a secure connection(e.g., with the network) before transmitting the data.

FIGS. 5, 6, and 7 illustrate example operations that may be performed bydifferent entities involved in a secure connectionless transmission.

For example, FIG. 5 illustrates example operations 500 for secureconnectionless data transmission that may be performed, for example, bya UE (e.g., a MTC device, AT 116 in FIG. 1, receiver system 250 in FIG.2, or wireless device 302 in FIG. 3, etc.).

At 502, the UE establishes, via a base station (BS), a secure connectionwith a network. At 504, the UE negotiates, via the secure connection, anencryption mechanism for the UE to use to transmit data withoutestablishing a full radio resource control (RRC) connection. At 506, theUE enters an idle mode after negotiating the encryption mechanism. At508, the UE uses the negotiated encryption mechanism to encrypt data tobe forwarded to the network. At 510, the UE transmits a packetcontaining the encrypted data to the BS without establishing the fullRRC connection.

FIG. 6 illustrates example operations 600 that may be performed, forexample, by a BS (e.g., to provide for secure connectionless datatransmission by a UE). According to certain aspects, the BS may be theAP 100 in FIG. 1, transmitter system 210 in FIG. 2, wireless device 302in FIG. 3, etc.

At 602, the BS receives a packet comprising encrypted data from a userequipment (UE) that has not established a full radio resource control(RRC) connection. At 604, the BS communicates with a network entity toperform authentication of the UE. At 606, the BS receives, from thenetwork entity, decryption information for decrypting the encrypted dataafter the network entity authenticates the UE. At 608, the BS uses thedecryption information to decrypt the encrypted data.

FIG. 7 illustrates example operations 700 that may be performed, forexample, by a network entity to provide for secure connectionless datatransmission by a UE. According to certain aspects, the network entitymay be a MME (e.g., illustrated in FIGS. 8-9).

At 702, the MME establishes, via a base station (BS), a secureconnection with a user equipment (UE). At 704, the MME negotiates, viathe secure connection, an encryption mechanism for the UE to use totransmit data without establishing a full radio resource control (RRC)connection. At 706, the MME communicates, with the BS that has receiveda packet from the UE comprising encrypted data, to performauthentication of the UE. At 708, the MME provides the BS decryptioninformation for decrypting the encrypted data after authenticating theUE. At 710, the MME receives, from the BS, data decrypted using thedecryption information. As will be described in greater detail belowwith reference to FIG. 10, in some cases, an MME and S-GW may be asingle network entity and, rather than provide decryption information tothe BS, the entity may receive encrypted data from the BS and decrypt itusing the decryption information.

As mentioned above, according to certain aspects, before the UEtransmits a secure connectionless data transmission, the UE may firstnegotiate with the MME (e.g., via the BS) for negotiation of anencryption mechanism as part of the setup for connectionlesstransmission. According to certain aspects, the connectionless uplinkdata transmission may only be attempted after a successful negotiationand/or setup of the connectionless transmission.

FIG. 8 illustrates an example call flow diagram 800 that shows anexchange of messages between a UE 802, BS 804 and MME 806 (e.g., networkentity) for negotiation of an encryption mechanism as part of a setupfor connectionless transmission, in accordance with aspects of thepresent disclosure. The UE 802 may be any of a MTC device, AT 116 inFIG. 1, receiver system 250 in FIG. 2, or wireless device 302 in FIG. 3,etc. The BS 804 may be the AP 100 in FIG. 1, transmitter system 210 inFIG. 2, wireless device 302 in FIG. 3, etc.

According to certain aspects, as shown in step 1 of FIG. 8, the UE 802and MME 806 (e.g., network entity) may establish a secure connection,for example, via the eNodeB (eNB) 804. In certain aspects, the secureconnection may consist of a RRC connection and/or secure non-accessstratum (NAS) connection, implemented in accordance with existingstandards (e.g., for 3GPP LTE, etc.). For example, the secure connectionmay comprise at least one of a tracking area update (TAU) mechanismand/or attach procedure. In another aspect, the secure connection may beimplemented utilizing a new procedure (e.g., not defined by currentstandards).

As shown in steps 2 and 3 of FIG. 8 and described above with respect toFIGS. 5 and 7, the UE 802 and MME 806 may negotiate, via the secureconnection, an encryption mechanism for the UE to use to transmit datawithout establishing a full RRC connection. For example, as illustratedin step 2 of FIG. 8, the UE 802 may transmit, to the MME 806, aconnectionless setup request containing a list of one or more encryptionmechanisms supported by the UE 802 for connectionless transmission. Oncethe MME 806 receives the connectionless setup request, the MME 806 maytransmit a connection setup response comprising at least an indicationof the encryption mechanism to be used for connectionless transmission(e.g., as shown in step 3 of FIG. 8). The indicated encryption mechanismmay be information related to one of the encryption mechanisms supportedby the UE 802 and listed in the request (e.g., an initial sequencenumber, keys, etc.). In some cases, however, the connectionless setupresponse may indicate an encryption mechanism other than one listed bythe UE in the request.

According to certain aspects, as shown in step 4 of FIG. 8, if the MME806 and UE 802 successfully negotiated (e.g., the MME accepted theconnectionless setup request) for the encryption mechanism as part ofthe setup for the connectionless transmission, the connection may bereleased and the UE 802 may enter an idle mode. The UE 802 may attemptto use the connectionless transmission after successful negotiation(e.g., for some period of time or until indicated otherwise). The UE 802may use the connectionless transmission to transmit data withoutestablishing a full RRC connection between the UE 802 and the MME 806.For example, in one embodiment, the UE 802 may transmit data using theconnectionless transmission without entering RRC connected mode. In oneembodiment, the UE 802 may transmit data using the connectionlesstransmission without establishing at least one data radio bearer betweenthe UE 802 and the MME 806. Alternatively, if the MME 806 rejected orignored the request from the UE 802, the UE 802 may not attempt to useconnectionless transmission. Steps 3 and 4 may include stand-alonemessages or messages that are piggy-backed onto existing messages.

According to aspects provided herein, the connectionless setup requestmessage and connectionless setup response message may be provided as apart of existing NAS messages or may be provided via new messages.According to another aspect, the successful negotiation of theencryption mechanism and/or setup for connectionless transmission may bevalid for some period of time. For example, the successful negotiationmay expire upon the expiration of an expiration time (e.g., 24 hours, 48hours, etc.), may expire once the UE goes outside of a designated areafrom the eNB and/or network, or some other criteria (e.g., the networkmay revoke the negotiated encryption mechanism at any time).

FIG. 9 illustrates an example call flow diagram 900 for secureconnectionless UL data transmission (e.g., assuming operations shown inFIG. 8 have been performed). As described above (e.g., with respect toFIG. 8), in one aspect, the UE 802 may not attempt a secureconnectionless UL data transmission until after a successful negotiationof an encryption mechanism as part of the setup for connectionlesstransmission. The operations of FIG. 9 can happen multiple times withoutthe initial negotiation as in FIG. 8.

According to certain aspects, as described above, after successfulnegotiation of the encryption mechanism, the UE 802 may use thenegotiated encryption mechanism to encrypt the data to be forwarded tothe network (e.g., via the eNB). In an aspect, the UE 802 may thenrequest resources from the eNB 804 to transmit the packet containing theencrypted data. Accordingly, as shown in step 1 of FIG. 9, if the eNB804 provides the UE 802 with the requested resources, the UE 802 maythen transmit a packet containing the encrypted data to the eNB 804using the connectionless transmission. According to an aspect, the UE802 may use the connectionless transmission by transmitting the packetwithout establishing the full RRC connection (e.g., without establishingany data radio bearers between the UE and the MME 806, not entering RRCconnection mode, etc.). According to another aspect, the packet may betransmitted as part of a service request.

In some cases, the transmitted packet containing the encrypted data maycomprise a mechanism or means for the network to authenticate the UE802. For example, the mechanism or means may include at least one of amedium access control (MAC) or short MAC address of the UE 802.

As shown in step 2 of FIG. 9, after receiving a packet comprisingencrypted data from the UE 802 that is not in RRC connected mode, theeNB 804 may then communicate with the MME 806 (e.g., a network entity)to perform authentication of the UE 802. For example, as shown in FIG.9, the eNB 804 may transmit a message to the MME 806 with theauthentication information (e.g., MAC or short MAC address of the UE)received from the UE 802. In an aspect, the eNB 804 may also include itsaddress (e.g., eNB address) and/or tunneling information (e.g., S1TEID(s)(DL) (tunnel endpoint identifiers (downlink)) for user planetransmission.

As shown in step 3 of FIG. 9, once the MME 806 receives the message,from the eNB 804, containing the information (e.g., MAC or short MACaddress of the UE) needed to authenticate the UE 802, the MME 806 mayauthenticate the UE, for example, utilizing the MAC or short MAC addressof the UE.

As shown in step 4 of FIG. 9, the MME 806 may then provide decryptioninformation for decrypting the encrypted data to the eNB 804. Forexample, as shown in FIG. 9, the MME 806 may provide decryptioninformation (e.g., security context) to the eNB 804. In anotherembodiment, in addition to providing the eNB 804 decryption information,or in the alternative, the MME 806 may use the decryption information todecrypt the encrypted data. In an aspect, the MME 806 may also providethe serving gateway (S-GW) information (e.g., S-GW address) and/ortunneling information (e.g., S1 TEID(s) (UL) (tunnel endpointidentifiers (uplink)) to the eNB. In another aspect, the MME 806 mayprovide a MAC or short MAC address (to the eNB 804) for the UE 802 toauthenticate the network. As shown in step 5 of FIG. 9, the eNB 804 mayuse the decryption information received from the MME 806 to decrypt theencrypted data (e.g., small data packet, etc.) within the packettransmitted by the UE 802.

As shown in step 6 of FIG. 9, after successfully decrypting theencrypted data, the eNB 804 may send a message (e.g., an acknowledgement(ACK)) to the UE 802 acknowledging that the eNB 804 has successfullydecrypted the encrypted data. In certain aspects, this ACK may be anauthenticated ACK for the UE 802 to know that it had sent the message tothe right network. This secure ACK may be performed by the eNB 804including the MME provided MAC or short MAC in the ACK. In certainaspects, the message may comprise a paging message (thus allowing the UEto return to idle and wake up to check for paging messages indicating anacknowledgement). In an aspect, the ACK may be included in the pagingmessage, another message and/or separate resource after the pagingmessage. In another aspect, the mere transmission of the paging message,itself, may indicate acknowledgement that the eNB 804 has successfullydecrypted the encrypted data. For example, the paging message lets theUE 802 know that the connection is still active (in other words, nore-establishment, for example, using the procedure in FIG. 8 is needed).In yet another aspect, the message may comprise mechanism or means forthe UE 802 to authenticate the network. For example, the mechanism ormeans may include at least one of a MAC or short MAC address. Further,according to yet another aspect, the UE 802 may receive the messagewhile still in idle mode.

According to certain aspects, the UE, after transmitting the packet, maydetermine that the UE has not received an acknowledgment (ACK) that theeNB 804 has successfully decrypted the encrypted data (or receives anexplicit negative acknowledgement-NAK). In any case, the UE 802 mayretransmit the packet, in response to the determination.

According to certain aspects, after receiving the service request andauthenticating the UE 802, the MME 806, S-GW 902 and P-GW 904 maycoordinate to modify and/or update bearers in order to forward thetransmitted data packet (e.g., as shown in steps 7-10 of FIG. 9).

Note that the call flow illustrated in FIG. 9 illustrates merely oneexample of different entities involved in a secure connectionlesstransmission. For example, in some cases, the MME 806 and S-GW 902 maybe a common network entity. In this case, rather than MME 806 sendingdecryption information to the eNB, the eNB may send encrypted data andthe MME/S-GW may decode and decrypt the data using the decryptioninformation. FIG. 10 illustrates example operations 1000 such an entitymay perform. As illustrated, operations 1002-1006 may be the same asoperations 702-706 of FIG. 7 described above. However, rather thanproviding the BS decryption information for decrypting the encrypteddata after authenticating the UE (per 708) and receiving, from the BS,data decrypted using the decryption information (per 710), the entitymay receive encrypted data from the BS (at 1008) and use the decryptioninformation to decrypt the encrypted data (at 1010).

The various operations of methods described above may be performed byany suitable means capable of performing the corresponding functions oroperations. The means may include various hardware and/orsoftware/firmware component(s) and/or module(s), including, but notlimited to a circuit, an application specific integrated circuit (ASIC),or processor. Generally, where there are operations illustrated inFigures, those operations may be performed by corresponding functionalmeans capable of performing the operations. In one configuration, the UE802 includes means for establishing, via a base station (BS), a secureconnection with a network, means for negotiating, via the secureconnection, an encryption mechanism for the UE to use to transmit datawithout establishing a full radio resource control (RRC) connection,means for entering an idle mode after negotiating the encryptionmechanism, means for using the negotiated encryption mechanism toencrypt data to be forwarded to the network, and means for transmittinga packet containing the encrypted data to the BS without establishingthe full RRC connection. In one aspect, the aforementioned means may bethe antennas 252, transceivers 254, controller/processor 270, memory272, transmit data processor 238, receive data processor 260, modulator280, or combinations thereof, configured to perform the functionsrecited by the aforementioned means. In one configuration, the eNB 804includes means for receiving a packet comprising encrypted data from auser equipment (UE) that has not established a full radio resourcecontrol (RRC) connection, means for communicating with a network entityto perform authentication of the UE, means for receiving, from thenetwork entity, decryption information for decrypting the encrypted dataafter the network entity authenticates the UE, and means for using thedecryption information to decrypt the encrypted data. In one aspect, theaforementioned means may be the antennas 224, transceivers 222,controller/processor 230, memory 232, transmit data processor 214,transmit MIMO processor 220, receive data processor 242, demodulator240, or combinations thereof, configured to perform the functionsrecited by the aforementioned means.

As used herein, the term “determining” encompasses a wide variety ofactions. For example, “determining” may include calculating, computing,processing, deriving, investigating, looking up (e.g., looking up in atable, a database or another data structure), ascertaining and the like.Also, “determining” may include receiving (e.g., receiving information),accessing (e.g., accessing data in a memory) and the like. Also,“determining” may include resolving, selecting, choosing, establishingand the like.

As used herein, a phrase referring to “at least one of” a list of itemsrefers to any combination of those items, including single members andduplicate members. As an example, “at least one of: a, b, or c” isintended to cover: a, b, c, a-b, a-c, b-c, a-b-c, aa, abb, abccc, andetc.

The various illustrative logical blocks, modules and circuits describedin connection with the present disclosure may be implemented orperformed with a general purpose processor, a digital signal processor(DSP), an application specific integrated circuit (ASIC), a fieldprogrammable gate array signal (FPGA) or other programmable logic device(PLD), discrete gate or transistor logic, discrete hardware componentsor any combination thereof designed to perform the functions describedherein. A general purpose processor may be a microprocessor, but in thealternative, the processor may be any commercially available processor,controller, microcontroller or state machine. A processor may also beimplemented as a combination of computing devices, e.g., a combinationof a DSP and a microprocessor, a plurality of microprocessors, one ormore microprocessors in conjunction with a DSP core, or any other suchconfiguration.

The steps of a method or algorithm described in connection with thepresent disclosure may be embodied directly in hardware, in asoftware/firmware module executed by a processor, or in a combination ofthe two. A software/firmware module may reside in any form of storagemedium that is known in the art. Some examples of storage media that maybe used include random access memory (RAM), read only memory (ROM),flash memory, EPROM memory, EEPROM memory, phase change memory (PCM),registers, a hard disk, a removable disk, a CD-ROM and so forth. Asoftware/firmware module may comprise a single instruction, or manyinstructions, and may be distributed over several different codesegments, among different programs, and across multiple storage media. Astorage medium may be coupled to a processor such that the processor canread information from, and write information to, the storage medium. Inthe alternative, the storage medium may be integral to the processor.

The methods disclosed herein comprise one or more steps or actions forachieving the described method. The method steps and/or actions may beinterchanged with one another without departing from the scope of theclaims. In other words, unless a specific order of steps or actions isspecified, the order and/or use of specific steps and/or actions may bemodified without departing from the scope of the claims.

The functions described may be implemented in hardware,software/firmware, or a combination thereof. If implemented insoftware/firmware, the functions may be stored as one or moreinstructions on a computer-readable medium. A storage media may be anyavailable media that can be accessed by a computer. By way of example,and not limitation, such computer-readable media can comprise RAM, ROM,PCM (phase change memory), EEPROM, CD-ROM or other optical disk storage,magnetic disk storage or other magnetic storage devices, or any othermedium that can be used to carry or store desired program code in theform of instructions or data structures and that can be accessed by acomputer. Disk and disc, as used herein, include compact disc (CD),laser disc, optical disc, digital versatile disc (DVD), floppy disk, andBlu-ray® disc where disks usually reproduce data magnetically, whilediscs reproduce data optically with lasers.

Thus, certain aspects may comprise a computer program product forperforming the operations presented herein. For example, such a computerprogram product may comprise a computer readable medium havinginstructions stored (and/or encoded) thereon, the instructions beingexecutable by one or more processors to perform the operations describedherein. For certain aspects, the computer program product may includepackaging material.

Software/firmware or instructions may also be transmitted over atransmission medium. For example, if the software/firmware istransmitted from a website, server, or other remote source using acoaxial cable, fiber optic cable, twisted pair, digital subscriber line(DSL), or wireless technologies such as infrared, radio, and microwave,then the coaxial cable, fiber optic cable, twisted pair, DSL, orwireless technologies such as infrared, radio, and microwave areincluded in the definition of transmission medium.

Further, it should be appreciated that modules and/or other appropriatemeans for performing the methods and techniques described herein can bedownloaded and/or otherwise obtained by a user terminal and/or basestation as applicable. For example, such a device can be coupled to aserver to facilitate the transfer of means for performing the methodsdescribed herein. Alternatively, various methods described herein can beprovided via storage means (e.g., RAM, ROM, a physical storage mediumsuch as a compact disc (CD) or floppy disk, etc.), such that a userterminal and/or base station can obtain the various methods uponcoupling or providing the storage means to the device. Moreover, anyother suitable technique for providing the methods and techniquesdescribed herein to a device can be utilized.

It is to be understood that the claims are not limited to the preciseconfiguration and components illustrated above. Various modifications,changes and variations may be made in the arrangement, operation anddetails of the methods and apparatus described above without departingfrom the scope of the claims.

While the foregoing is directed to aspects of the present disclosure,other and further aspects of the disclosure may be devised withoutdeparting from the basic scope thereof, and the scope thereof isdetermined by the claims that follow.

What is claimed is:
 1. A method for wireless communications by a userequipment (UE), comprising: establishing, via a base station (BS), asecure connection with a network, wherein establishing the secureconnection comprises at least one of a tracking area update (TAU) orattach procedure; negotiating, via the secure connection, an encryptionmechanism for the UE to use to transmit data without establishing a fullradio resource control (RRC) connection; entering an idle mode afternegotiating the encryption mechanism; using the negotiated encryptionmechanism to encrypt data to be transmitted to the network; andtransmitting a packet comprising the encrypted data to the BS withoutestablishing the full RRC connection.
 2. The method of claim 1, whereinthe negotiating comprises: transmitting a request for connectionlesssetup, wherein the request indicates one or more encryption mechanismssupported by the UE; and receiving a response indicating one of thesupported encryption mechanisms.
 3. The method of claim 1, furthercomprising: transmitting, to the BS, a request for resources fortransmitting the packet comprising the encrypted data.
 4. The method ofclaim 1, wherein the packet further comprises a mechanism for thenetwork to authenticate the UE, and wherein the mechanism comprises atleast one of a medium access control (MAC) or short MAC address.
 5. Themethod of claim 1, wherein establishing the full RRC connectioncomprises establishing at least one data radio bearer between the UE andthe network.
 6. The method of claim 1, further comprising, aftertransmitting the packet, receiving a message acknowledging that the BShas successfully decrypted the encrypted data.
 7. The method of claim 6,wherein the message comprises a paging message.
 8. The method of claim7, wherein transmission of the paging message indicates acknowledgementthat the BS has successfully decrypted the encrypted data.
 9. The methodof claim 6, wherein the message comprises a mechanism for the UE toauthenticate the network.
 10. The method of claim 9, wherein themechanism comprises at least one of a medium access control (MAC) orshort MAC address.
 11. The method of claim 1, further comprising, aftertransmitting the packet: determining the UE has not received anacknowledgement that the BS has successfully decrypted the encrypteddata; and retransmitting the packet in response to the determination.12. A method for wireless communications by a base station (BS),comprising: receiving a packet comprising encrypted data from a userequipment (UE) that has not established a full radio resource control(RRC) connection; communicating with a network entity to performauthentication of the UE; receiving, from the network entity, decryptioninformation for decrypting the encrypted data after the network entityauthenticates the UE; using the decryption information to decrypt theencrypted data; and after successfully decrypting the encrypted data,transmitting a message to the UE acknowledging that the BS hassuccessfully decrypted the encrypted data.
 13. The method of claim 12,wherein: the packet further comprises a mechanism for the network entityto authenticate the UE; and communicating with the network entity toperform authentication of the UE comprises providing the mechanism tothe network entity.
 14. The method of claim 13, wherein the mechanismcomprises at least one of a medium access control (MAC) or short MACaddress.
 15. The method of claim 12, wherein the message comprises apaging message.
 16. The method of claim 15, wherein transmission of thepaging message indicates acknowledgement that the BS has successfullydecrypted the encrypted data.
 17. The method of claim 12, wherein themessage comprises a mechanism for the UE to authenticate the networkentity, and wherein the mechanism comprises at least one of a mediumaccess control (MAC) or short MAC address.
 18. The method of claim 12,wherein the establishment of the full RRC connection comprises anestablishment of at least one data radio bearer between the UE and thenetwork entity.
 19. A method for wireless communications by a networkentity, comprising: establishing, via a base station (BS), a secureconnection with a user equipment (UE); negotiating, via the secureconnection, an encryption mechanism for the UE to use to transmit datawithout establishing a full radio resource control (RRC) connection,wherein the negotiating comprises: receiving a request from the UE forconnectionless setup, wherein the request indicates one or moreencryption mechanisms supported by the UE; and transmitting a responseindicating one of the supported encryption mechanisms; communicatingwith the BS to perform authentication of the UE, wherein encrypted datais received in a packet by the BS from the UE; providing the BSdecryption information for decrypting the encrypted data afterauthenticating the UE; and receiving, from the BS, data decrypted usingthe decryption information.
 20. The method of claim 19, furthercomprising: receiving, from the BS, at least one mechanism in the packetfor the network entity to authenticate the UE; and using the at leastone mechanism to authenticate the UE, wherein the at least one mechanismcomprises at least one of a medium access control (MAC) or short MACaddress.
 21. The method of claim 19, wherein establishing the full RRCconnection comprises establishing at least one data radio bearer betweenthe UE and the network entity.
 22. The method of claim 19, furthercomprising, after authenticating the UE, providing the BS with at leastone mechanism for the UE to authenticate the network entity, wherein theat least one mechanism comprises at least one of a medium access control(MAC) or short MAC address.
 23. A method for wireless communications bya network entity, comprising: establishing, via a base station (BS), asecure connection with a user equipment (UE); negotiating, via thesecure connection, an encryption mechanism for the UE to use to transmitdata without establishing a full radio resource control (RRC)connection, wherein the negotiating comprises: receiving a request fromthe UE for connectionless setup, wherein the request indicates one ormore encryption mechanisms supported by the UE; and transmitting aresponse indicating one of the supported encryption mechanisms;communicating with the BS to perform authentication of the UE, whereinencrypted data is received in a packet by the BS from the UE; receivingthe encrypted data from the BS; and using decryption information todecrypt the encrypted data.
 24. The method of claim 23, furthercomprising: receiving, from the BS, at least one mechanism in the packetfor the network entity to authenticate the UE; and using the at leastone mechanism to authenticate the UE, wherein the at least one mechanismcomprises at least one of a medium access control (MAC) or short MACaddress.
 25. The method of claim 23, wherein establishing the full RRCconnection comprises establishing at least one data radio bearer betweenthe UE and the network entity.
 26. The method of claim 23, furthercomprising, after authenticating the UE, providing the BS with at leastone mechanism for the UE to authenticate the network entity, wherein theat least one mechanism comprises at least one of a medium access control(MAC) or short MAC address.